While implementing DORA compliance is crucial for financial institutions, it introduces several organizational and operational challenges. In the first and second parts of this blog series, we demonstrated that meeting DORA requirements goes beyond maintaining the register, and that the DORA compliance framework requires a structured and consistent approach and collaboration across departments. However, there are additional obstacles that may complicate following the DORA compliance checklist or meeting the DORA compliance deadline.
- Unclear ownership
One of the pitfalls in DORA implementations is unclear accountability. Which department is responsible for which aspect, and who takes on central coordination? In Blog 2 of this series, we already discussed the need for collaboration between departments. Without clearly defined ownership, organizations risk inconsistency and delays. This may result in double work (wasting time and resources) or, worse, gaps in reporting — which could ultimately result in non-compliance with DORA requirements.
- Manual processes and spreadsheets
Organizations rely on manual processes and spreadsheets for contract management and risk management. Tracking changes, managing versions, and responding to new requirements all become significantly harder. We often see this in practice, but it is also highlighted in the advice in the EBA’s research (point 57, page 17) to use appropriate digital tools to maintain registers in compliance with DORA and automatically format them for regulatory reporting.
Additionally, manual processes and spreadsheets increase the risk of errors and inefficient workflows, such as incomplete information being stored across multiple locations or missed and forgotten deadlines. This makes organizations more vulnerable to compliance risks and operational problems. When regulations change and manual processes are not scalable, complexity increases.
- Insufficient resources
Implementing and staying compliant with DORA requires resources. These may not be sufficiently available in every organization or may not be easily scaled up. The EBA research mentioned above, conducted in 2024, also showed that available resources are often insufficient for establishing the register, let alone for other essential tasks like risk management, supplier management, and long-term DORA compliance. Where resources do exist, they are often primarily allocated to establishing the register.
Without additional budgets or personnel, the pressure on existing teams increases, leading to delays, errors and compliance risks. Penalties for non-compliance with DORA include (high) fines, revoked licences, and even personal liability for executives (Art. 50 to 54). Moreover, the lack of sufficient capacity forces organizations to remain reactive rather than proactive, ultimately undermining the organization’s ability to manage risk proactively.
- Lack of structured data
Failing to properly structure data for reporting and management is another pitfall. Organizations must not only meet reporting obligations but also gain insights to better manage risks. Poorly structured data makes reporting processes cumbersome and prone to errors. This can result in incomplete or inconsistent reports, leading to additional rounds of checks and corrections, and possibly even fines or penalties.
- Lack of expertise
Many organizations that Birdseye consults with struggle to translate DORA requirements into workable operational processes. A lack of specialized knowledge about certain compliance risks within parts of the organization or among individual employees can lead to inefficient implementations and unnecessary delays. This specific knowledge, experience or expertise might, however, be available in other departments or with other individuals within the organization.
- Uncertainty about what is necessary
DORA sets clear frameworks but also leaves room for interpretation. This creates uncertainty about which measures are truly necessary and how deeply certain processes must be structured. In many cases individuals use their own interpretations, which can lead to fragmented, ad-hoc solutions. Organizations that try to establish a completely new DORA compliance framework often waste valuable time on reinterpretations and restructuring, unnecessarily slowing down implementation and increasing pressure on compliance teams.
Avoid wasting time
The real risk during DORA implementation is focusing on the wrong activities — such as manually maintaining information and creating a register — instead of prioritizing continuous compliance. Resources end up being misallocated instead of supporting strategic, high-value activities. This ultimately leads to time wasted, weaker compliance, and frustration and higher dissatisfaction among employees. Continuous compliance done the right way enhances operational resilience. Such operational resilience — enabling organizations to interpret regulations in context, take timely action and manage and maintain control in a dynamic risk environment — is exactly what DORA aims to achieve.